Philips is known for producing high-end and efficient PageWriter Cardiograph devices. After the recent discovery of cybersecurity vulnerabilities in these devices, which allow attackers to alter the devices’ settings and thereby affect diagnosis, Philips has said in an ICS-CERT advisory that it does not intend to look into these vulnerabilities until the summer of 2019.
The Philips PageWriter Cardiograph devices take in signals through sensors attached to the body and use this data to create ECG patterns and diagrams that the physician can then consult to reach a diagnosis. This process should be free of interference to ensure the integrity of the measurements taken and the graphs depicted, but it seems that manipulators are able to influence this data manually.
The vulnerabilities exist in Philips’ PageWriter models TC10, TC20, TC30, TC50, and TC70. They arise from the fact that input information can be manually entered and hard coded into the interface, and the device’s system does not verify or filter any of the data entered. This means that results from the device are directly correlated with what users put into them manually, allowing for improper and inefficient diagnosis. The lack of data sanitization contributes directly to the possibility of buffer overflow and format string vulnerabilities.
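The kind of input check whose absence the paragraph above describes can be sketched as follows. This is an added example, not Philips code or anything taken from the advisory; the field size, the character allowlist and the function names `store_field` and `render_field` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32 /* assumed capacity of one free-text field, including NUL */

/* Validate operator-entered text before storing it (hypothetical helper).
 * Returns 0 and fills dst on success, -1 if the input is rejected.
 * Rejecting instead of truncating keeps the stored record unambiguous. */
int store_field(char dst[FIELD_MAX], const char *input)
{
    size_t len = 0;

    if (input == NULL)
        return -1;
    for (; len < FIELD_MAX; len++) {          /* never read past the limit */
        unsigned char c = (unsigned char)input[len];
        if (c == '\0')
            break;
        /* Allowlist: letters, digits, space and a few separators.
         * '%' and control characters are not on it. */
        if (!isalnum(c) && c != ' ' && c != '-' && c != '.' && c != ',')
            return -1;
    }
    if (len == 0 || len == FIELD_MAX)         /* empty, or too long for dst */
        return -1;
    memcpy(dst, input, len);                  /* length already bounded */
    dst[len] = '\0';
    return 0;
}

/* Render a stored field (hypothetical helper). The text is passed as an
 * argument to a constant format string, never as the format itself, and
 * snprintf bounds the write. Returns the length written, or -1 on error. */
int render_field(char *out, size_t out_size, const char *label, const char *field)
{
    int n = snprintf(out, out_size, "%s: %s", label, field);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

int main(void)
{
    /* Constructed sample inputs, not data from any device. */
    const char *samples[] = { "Ward 4, Bed 12", "%x%x%n", "" };
    char field[FIELD_MAX], line[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (store_field(field, samples[i]) == 0 &&
            render_field(line, sizeof line, "Location", field) > 0)
            puts(line);
        else
            printf("rejected: input %zu\n", i);
    }
    return 0;
}
```

The length bound addresses the buffer overflow class and the constant format string addresses the format string class; the allowlist is defence in depth on top of both.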
In addition to this data error exploit possibility, the ability to hard code data into the interface lends itself to the hard coding of credentials as well. This means that any attacker who knows the device’s password and has the device physically on hand can modify the device’s settings, causing improper diagnosis using the device.
Despite the company’s decision not to look into these vulnerabilities until the summer of next year, the published advisory offers a few pieces of advice for mitigating them. The major guidelines revolve around physical security of the device: ensuring that malicious attackers are not able to physically access or manipulate the device. In addition, clinics are advised to initiate component protection in their systems, restricting and regulating what can be accessed on the devices.